by: Quality Institute of America (QIA)   |   published on: Nov 11, 2016


Although Risk Based Thinking is new as a formal requirement in ISO 9001:2015, the concept has been the basis of Quality Management Systems since their inception in the US Military, from where it was brought into the civilian arena by the International Organization for Standardization (ISO).


The base methodology for handling risks was also developed by the US Military in the 1950s to reduce equipment failures in military materiel. The core methodology was, and is, called Failure Mode and Effects Analysis (FMEA). Initially it was used by Reliability Engineers, but it was readily adopted by industry for improving Quality and Reliability.


In the manufacturing arena, Quality Engineers use the Process Failure Mode and Effects Analysis (PFMEA) version, while Design Engineers use the DFMEA version.


The processes and tools are explained below. A demonstration of the system can be seen by contacting us.




Technically, Risk is defined as effect of uncertainty on objectives. Risk Management is defined as an organization’s response to a defined risk and management of its consequences. An effect is a deviation from the expected — positive and/or negative. We will concern ourselves with only the negative effects of risk, and build systems to avoid those that need to be avoided, and deal with escapes.

  • Risk Management can be seen as consisting of the following components:
    • Risk Assessment: This consists of a systematic method for identification, analysis and evaluation of risk:
      • Identifying a Potential Failure Mode in a component of the Quality Management System, such as a work process or a result of the work process, such as a product at various points of its life-cycle. Some people refer to this step alone as Risk Management.
      • The next step is to identify the effect of the potential failure mode. Some call it the Consequence. The Consequence needs to be given a score.
      • Failure Mode and Effects Analysis (FMEA). It is common to identify potential cause(s) of the Failure Mode. This becomes useful for refining the analysis, since the nature of the cause could affect ultimate Effect (Consequence).
      • Corresponding to the cause, current preventive controls are identified that should prevent the risk from occurring.
      • A final step in the analysis is to assign a measure of the Consequence of the risk, should it occur under the current control mechanisms. This RPN (Risk Priority Number) is usually the product of the Consequence (Severity), times the (probability of) Occurrence, times the (difficulty of) Detection. Some companies use the sum of these metrics instead (S, O, D, commonly remembered as SOD).
    • Risk Management: This consists of Risk Assessment, Risk Prevention, Contingency planning, and disseminating Lessons Learned.
      • Risks with high RPNs need to be addressed.
      • Risk Prevention consists of addressing the potential causes, by planning a Preventive Action, which would change some aspects of the current system process(es), thereby reducing the RPN from the unacceptable level to a level that is acceptable, or tolerable.
      • The potential causes could be removed, or their likelihood reduced.
      • A contingency plan should also be done, in case the Preventive Action does not work as planned.



The following tools can be used for conducting the various components of Risk Management.

Risk Assessment:

The Risk Assessment process shown above helps evaluate the overall Consequence(s) should the risk materialize. Although risk is always in the future, methods of identification can draw on events in the past (including the immediate past) such as nonconformances, product failures, customer complaints, and other undesirable events. Risks can also be identified as part of forecasting exercises, such as studying product performance data over time, judgment calls by experts regarding economic or political trends, customer feedback data, etc.

The whole idea is risk management through risk prevention. The flow chart shows the evaluation of consequences, and the end result is a Risk Priority Number (RPN). The RPN is calculated as the product of Severity, Occurrence and Detection. These are evaluated separately on a scale of 1 to 10, with 1 as the least and 10 as the maximum, so the product ranges from 1 to 1000. For example, Death would be a 10, and a minor scratch would be a 1. Occurrence is the probability that the consequence will occur: high probability is associated with high numbers on the 1 to 10 scale. Detection is measured as the difficulty of detecting the consequence: higher numbers are associated with consequences that are difficult to detect, and a 1 with those that are readily detectable.

Different causes could have different consequences, and then the Risk Assessment should be done for each consequence.
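The scoring steps listed under Risk Assessment and the RPN paragraph above, worked through as a small FMEA worksheet. This is an added example written for this page, not QIA's own tool: the four failure modes, their S/O/D scores, the IT change-management setting and the action threshold of 100 are all constructed assumptions, and it includes both the product RPN and the additive SOD variant the text mentions, plus the re-scoring of a row after a Preventive Action.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FailureMode:
    """One row of a process FMEA worksheet."""
    process_step: str
    failure_mode: str
    effect: str          # the Consequence
    cause: str
    severity: int        # S, 1..10
    occurrence: int      # O, 1..10
    detection: int       # D, 1..10 (higher = harder to detect)


def _score(name: str, value: int) -> int:
    """Every factor is scored on the 1 to 10 scale; reject anything else."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


def rpn(fm: FailureMode) -> int:
    """Risk Priority Number as the product S x O x D (range 1..1000)."""
    return (_score("severity", fm.severity)
            * _score("occurrence", fm.occurrence)
            * _score("detection", fm.detection))


def sod(fm: FailureMode) -> int:
    """Additive variant some companies use: S + O + D (range 3..30)."""
    return (_score("severity", fm.severity)
            + _score("occurrence", fm.occurrence)
            + _score("detection", fm.detection))


def ranked(modes: List[FailureMode]) -> List[Tuple[FailureMode, int]]:
    """Worksheet rows sorted by RPN, highest first."""
    return sorted(((m, rpn(m)) for m in modes), key=lambda row: row[1], reverse=True)


def needs_action(modes: List[FailureMode], threshold: int = 100) -> List[FailureMode]:
    """Rows whose RPN exceeds the action threshold (the threshold is an assumed company policy)."""
    return [m for m in modes if rpn(m) > threshold]


def after_preventive_action(fm: FailureMode, occurrence: Optional[int] = None,
                            detection: Optional[int] = None) -> FailureMode:
    """Re-score a row once a Preventive Action is in place.

    Prevention works on the cause (lower O) or on the controls (lower D);
    severity belongs to the effect and is left unchanged here (an assumption).
    """
    return replace(fm,
                   occurrence=fm.occurrence if occurrence is None else occurrence,
                   detection=fm.detection if detection is None else detection)


# Constructed worksheet for a hypothetical IT change-management process.
WORKSHEET = [
    FailureMode("Deploy patch", "Patch applied without staging test", "Production outage",
                "No enforced test gate", severity=8, occurrence=5, detection=3),
    FailureMode("Nightly backup", "Backup job fails silently", "Data loss on restore",
                "Job exit status not monitored", severity=9, occurrence=3, detection=8),
    FailureMode("Offboarding", "Access not revoked", "Former staff retain access",
                "HR and IT ticket queues not linked", severity=7, occurrence=6, detection=6),
    FailureMode("Config edit", "Typo in a comment line", "None (cosmetic)",
                "Manual editing", severity=1, occurrence=7, detection=2),
]


if __name__ == "__main__":
    print(f"{'RPN':>4} {'SOD':>4}  Failure mode")
    for fm, score in ranked(WORKSHEET):
        flag = "*" if score > 100 else " "
        print(f"{score:>4} {sod(fm):>4} {flag} {fm.failure_mode}")
    # Preventive Action: alert on backup job failure, so Detection drops from 8 to 2.
    fixed = after_preventive_action(WORKSHEET[1], detection=2)
    print(f"backup RPN {rpn(WORKSHEET[1])} -> {rpn(fixed)} after adding failure alerting")
```

Note how the ranking differs between the two schemes: the silently failing backup has the highest SOD sum but only the second-highest product RPN, because the product rewards reducing any one factor far more than the sum does. That is also why the re-scored backup row falls well below the threshold once detection is improved, while its severity is untouched.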

Root Cause Analysis (RCA):

Root Cause Analysis (RCA) is a popular term, although it is seldom one lone "root" cause that we should be concerned about. Most of the time there are multiple causes, and they should all be identified.

The 5-Why and Fish Bone methods are popular, intuitive and effective methods for finding the causes of the different consequences.

They are based upon Cause and Effect analysis. The 5-Why asks why several times until it is felt that enough causes have been determined, starting with the immediate cause, then Contributory, and finally the Root Cause.

The fish bone method is more of a graphic depiction of the Cause and Effect logic.

Local Prevention:

Local prevention is a methodology of taking steps to prevent the identified risk from occurring, which is the essence of Risk Management. The term Local signifies a more limited scope of application, as opposed to a global scope, which is shown below.

In local prevention, steps are taken to avoid the conditions that would enable the risk to occur. This consists of eliminating the cause(s) through a well-planned solution: developing the solution, implementing it, verifying that the solution was implemented properly, and finally validating that the cause was in fact eliminated and that the risk did not occur and will not occur.

Many times it is not possible to completely eliminate all causes, and a reduction of the risk is deemed acceptable.

Global Prevention:

Once local prevention has been deemed effective, the organization should look into globalizing the solution, or a modified version of it.

This consists of a process to identify other similar possibilities of risk, in other parts of the organization, and then implement the solution.

Another element of globalization is adding to the knowledge base through a database with an effective search capability. This is a valuable part of the overall "Knowledge Management" function of an organization.

Another element would be the preparation of contingency plans in case the risk does occur.

Management of Change (MoC):

Changes in an organization’s processes could introduce risks that emerge as a result of making the changes.

The three processes described above can be used in different combinations to manage these changes so as to minimize risks, and thereby contribute to overall risk management.

ISO Standards on Quality Management Systems (QMS) have evolved since 1987 through to ISO 9001:2015 and matured to the point that the standard now requires users to engage in Risk Management through a process of Risk Based Thinking.

Practitioners will likely notice that the Corrective Action & Preventive Action processes of earlier standards have always incorporated these risk avoidance principles.


The avoidance of risk has been the core motivator for the design of Quality Management Systems and of the Standards that facilitate them. The new ISO 9001:2015 has finally brought this to the forefront, with about seventy-five references to risk, risk-based thinking and "opportunities", a positive rendition of risk.


The tools described above should assist the user in addressing risks, all the way from identification to close-out on a global basis. Students of Quality Management Systems will notice that the amalgam of the different tools can be considered a complete treatment of the erstwhile Corrective and Preventive Actions in previous QMS standards. In fact, some companies may elect to string the different components together to produce a robust Corrective Action and Preventive Action process. The difference is that the concept of "Risk Based Thinking" encourages users to think through what applies to particular circumstances and use the best combination. For example, the chain of techniques could be aborted when appropriate.


Risks could be identified from Nonconformance, in which case the resultant string would be a traditional Corrective Action. Risks that are forecasted (without Nonconformance) would result in the traditional “Preventive Action”.


QIA offers a wide variety of professional services, such as ISO 9001:2015 consulting and training to assist in transitioning from ISO 9001:2008 to the new 2015 standard. In addition, we offer consulting, auditing and training for a wide variety of standards.

  Quality Institute of America

8951 Ruthby Street #15,
Houston, TX 77061, USA

Tel : (281) 335-7979
Fax : (832) 582-8504
Business Hours : 8:00 AM - 5:00 PM

  Asia Office

House# 14, Road# 1/A, Block# J,
Baridhara, Dhaka, Bangladesh

Tel : (880-2)-9854911
Business Hours : 9:00 AM - 5:00 PM

Copyright © 2014 - QIA